Add tests and relocate KeyPaddingUtil

Signed-off-by: Ryan Liang <[email protected]>
MaciejMierzwa · Oct 24, 2023 · 2bdd1de · 2bdd1de
1 parent de31e00
commit 2bdd1de
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 15 deletions.
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java b/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java
@@ -32,14 +32,12 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
-import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.KeyUse;
 import com.nimbusds.jose.jwk.OctetSequenceKey;
-import com.nimbusds.jose.util.ByteUtils;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import com.onelogin.saml2.authn.SamlResponse;
@@ -66,7 +64,7 @@
 import org.opensearch.security.dlic.rest.api.AuthTokenProcessorAction;
 import org.opensearch.security.filter.SecurityResponse;
 
-import static com.nimbusds.jose.crypto.MACSigner.getMinRequiredSecretLength;
+import static org.opensearch.security.authtoken.jwt.KeyPaddingUtil.padSecret;
 
 class AuthTokenProcessorHandler {
     private static final Logger log = LogManager.getLogger(AuthTokenProcessorHandler.class);
@@ -121,18 +119,6 @@ class AuthTokenProcessorHandler {
         this.jwsHeader = this.createJwsHeaderFromSettings();
     }
 
-    public static String padSecret(String signingKey, JWSAlgorithm jwsAlgorithm) {
-        int requiredSecretLength;
-        try {
-            requiredSecretLength = getMinRequiredSecretLength(jwsAlgorithm);
-        } catch (JOSEException e) {
-            throw new RuntimeException(e);
-        }
-        int requiredByteLength = ByteUtils.byteLength(requiredSecretLength);
-        // padding the signing key with 0s to meet the minimum required length
-        return StringUtils.rightPad(signingKey, requiredByteLength, "\0");
-    }
-
     @SuppressWarnings("removal")
     Optional<SecurityResponse> handle(RestRequest restRequest) throws Exception {
         try {

diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtil.java b/src/main/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtil.java
@@ -0,0 +1,33 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.authtoken.jwt;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.util.ByteUtils;
+import org.apache.commons.lang3.StringUtils;
+
+import static com.nimbusds.jose.crypto.MACSigner.getMinRequiredSecretLength;
+
+public class KeyPaddingUtil {
+    public static String padSecret(String signingKey, JWSAlgorithm jwsAlgorithm) {
+        int requiredSecretLength;
+        try {
+            requiredSecretLength = getMinRequiredSecretLength(jwsAlgorithm);
+        } catch (JOSEException e) {
+            throw new RuntimeException(e);
+        }
+        int requiredByteLength = ByteUtils.byteLength(requiredSecretLength);
+        // padding the signing key with 0s to meet the minimum required length
+        return StringUtils.rightPad(signingKey, requiredByteLength, "\0");
+    }
+}
diff --git a/src/test/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtilTest.java b/src/test/java/org/opensearch/security/authtoken/jwt/KeyPaddingUtilTest.java
@@ -0,0 +1,42 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.authtoken.jwt;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import org.junit.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class KeyPaddingUtilTest {
+
+    private String signingKey = "testKey";
+
+    @Test
+    public void testPadSecretForHS256() {
+        JWSAlgorithm jwsAlgorithm = JWSAlgorithm.HS256;
+        String paddedKey = KeyPaddingUtil.padSecret(signingKey, jwsAlgorithm);
+
+        // For HS256, HMAC using SHA-256, typical key length is 256 bits or 32 bytes
+        int expectedLength = 32;
+        assertEquals(expectedLength, paddedKey.length());
+    }
+
+    @Test
+    public void testPadSecretForHS384() {
+        JWSAlgorithm jwsAlgorithm = JWSAlgorithm.HS384;
+        String paddedKey = KeyPaddingUtil.padSecret(signingKey, jwsAlgorithm);
+
+        // For HS384, HMAC using SHA-384, typical key length is 384 bits or 48 bytes
+        int expectedLength = 48;
+        assertEquals(expectedLength, paddedKey.length());
+    }
+}